I made a few assumptions that may not be shared by everyone:

1. Vulnerabilities must not be publicly disclosed before they are corrected.
2. Vulnerabilities must be promptly assessed and mitigated by as small a group as possible (i.e., on a need-to-know basis).
3. Any limited disclosure of vulnerabilities is shortly followed by a broader, more public disclosure.

I see the disclosure of vulnerabilities as similar to the disclosure of your password. Publicly disclosing or sharing your password before you can change it is unwise. Failure to publicly disclose a vulnerability (or your password) is not an example of "security through obscurity"; it's simply prudent to protect that information.

Vulnerabilities that are under investigation must be kept under wraps. Keeping them under wraps is not intended to deceive anyone or to deprive anyone of critical information. It is a necessary step until the problem can be resolved, just as maintaining the confidentiality of your password is necessary.

Limited disclosure of security bulletins is also an important step towards the public disclosure. It does not replace the public disclosure. Limited disclosure ensures all products -- not just LL products -- have an opportunity to address the vulnerability before it's widely known. Ideally any limited disclosure would only occur once LL was capable of identifying anyone attempting to use the vulnerability.

If there ever was a truly exceptional case where a vulnerability was so severe that it needed to be publicly disclosed before it was corrected, then the system should be shut down until the issue was resolved.

I have always taken security and vulnerabilities very seriously. I would love to know about them in advance, but I recognize and accept that it's not appropriate for me to know about them in advance. I *want* to know about them; I don't *need* to know about them.
Sheet Spotter

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
Sent: December 26, 2008 11:02 AM
To: Boy Lane
Cc: [email protected]
Subject: Re: [sldev] Viewer security vulnerability disclosure group

[...]

"telling everybody about a security vulnerability before remediation is available is bad."

> So who decides who is "good" or "bad" to receive or
> not to receive security bulletins?

[...]

> > I think the only way to properly handle security issues
> > detected is to make everybody aware of them.

[...]

> > Merry Xmas!
> >
> > Boy

_______________________________________________
Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/SLDev
Please read the policies before posting to keep unmoderated posting privileges
